
Dropbox, the handy Cloud based storage for files, has been one of those amazing tech success stories. As of May 2016, Dropbox had over 500 million registered users with around 1.2 billion files uploaded to Dropbox every day. Dropbox is also a collaborative tool, with 3.3 billion shared connections. Dropbox has its extended fingers right across the planet, both as a tool for individuals and for business.

This all makes Dropbox a familiar presence. Since its inception in 2007 it has entered our working lives, with many of us using it daily to augment our communications and to store our documents and files. Dropbox reaches outwards from our computer into the Cloud and beyond. As a company, Dropbox has done something very special: it has created a sense of trust between the Cloud repository that is Dropbox and ourselves, the consumers of that repository. Consequently, we trust Dropbox with some of our most sensitive and personal data. In addition, we allow Dropbox to be a conduit for sharing those files with other parties.

This heightened profile and prolific presence throughout our personal and working lives means that Dropbox has entered the sights of the cybercriminal. Couple this with our trust in the Dropbox brand and the fact that Dropbox communicates with us directly in our email inbox, as well as with our contacts via Dropbox shares, and you have the perfect storm for phishing. Below are some of the ways Dropbox has been, and is being, used for phishing.

A Box, Within a Box

In this phishing scam, first reported by Symantec, a user receives an email which looks very much like it is from Dropbox support. The email usually warns that a file has been sent to them, which is too big to email. It directs the user to ‘click on a link’ to access the file in Dropbox.

Once the user clicks on the link, they are taken to a spoof Dropbox page. Ironically, this is hosted within Dropbox itself. The spoof page requests that you log in. If you enter your credentials, they are stolen by the cybercriminal behind the attack. In some attacks, the hacker also offers login using other services such as Google and Outlook, hoping to harvest those credentials as well. Once they have these credentials, they have access to the user’s Dropbox (or other) account. In the meantime, the user is redirected to the real Dropbox login page, so nothing looks amiss.

This type of phishing exercise relies on several things:

Your familiarity with the brand of Dropbox

Your trust in the brand of Dropbox

Your curiosity in wanting to know what the mystery file is

Often a sense of urgency will be built into the email message too

Many phishing scams rely on this mix of trust and curiosity to get you to click on a link or download a malicious attachment. The cybercriminal uses our own psychology against us to trick us into behaving in a certain way.

Using a Dropbox Phishing Rod

Another scam, again based on Dropbox and again employing trust as the lever, uses a second trusted organization to elicit the desired user behavior. An example was the recent phishing attack built around a spoof version of the Better Business Bureau site. The site sent out emails to individuals that looked exactly as if they had been sent by the FBI (another trusted organization in the loop). The email asked the user to click on a link, which took them to a spoof Dropbox site. The file on that site contains malware, most recently ransomware, and, if downloaded, can install itself on the user’s computer.

Variations on a Theme

Phishing does not use a static approach. Cybercriminals will create new variations on a successful theme. For example, the phisher knows that adding a degree of urgency to a spoof email makes a user more likely to click on a link. If they mix this urgency with fear, such as of financial loss or compromise of an account, even better. Add to this a well-known and trusted brand, and you have created the perfect landscape to deceive an individual. Dropbox phishing uses all of these tricks across a number of mixed themes. One example is a Dropbox phishing campaign that asked users to click on a link to download ‘urgent and highly sensitive’ documents. Another may be a simple Dropbox share alert. Whichever theme they choose to use, the emails will always look like legitimate Dropbox emails. It is this mastery of design that sets apart a successful phishing email from a highly successful phishing email.
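Added here as a defender-side illustration (not code from the article or from Infosec Institute): a small Python checker that flags the traits described above in a constructed Dropbox-themed message, namely a "Dropbox" sender from a non-Dropbox domain, link text that imitates Dropbox while pointing elsewhere, a login page served from Dropbox user content, and urgency wording. The sample message and the allow-list of genuine Dropbox domains are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample lure in the style the article describes: a "Dropbox Support"
# sender, urgency in the subject, and a link whose visible text says dropbox.com
# but whose target is a login page hosted on Dropbox user content.
SAMPLE_EMAIL = """\
From: "Dropbox Support" <support@dropbox-notify.example>
Subject: URGENT: a file too big to email was sent to you
Content-Type: text/html

<p><a href="https://dl.dropboxusercontent.com/s/x1/login.html">dropbox.com/login</a></p>
"""

LEGIT = {"dropbox.com", "dropboxmail.com"}  # assumed allow-list of genuine Dropbox domains
URGENCY = re.compile(r"\b(urgent|immediately|suspended|deleted|expires?)\b", re.I)
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def reg_domain(host):
    """Last two labels of a hostname; adequate for the .com cases shown here."""
    return ".".join(host.lower().split(".")[-2:])

def link_host(href):
    return re.sub(r"^https?://", "", href).split("/")[0]

def analyze(raw):
    """Return brand-impersonation indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    dom, findings = addr.rsplit("@", 1)[-1], []
    # 1. Display name claims Dropbox, but the address is not a Dropbox domain.
    if "dropbox" in name.lower() and reg_domain(dom) not in LEGIT:
        findings.append("Dropbox display name from non-Dropbox domain: " + dom)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    # Simple anchor extraction for this sample; a production scanner would use an HTML parser.
    for href, text in ANCHOR.findall(body):
        host = link_host(href)
        # 2. Link text imitates Dropbox while the real target is elsewhere.
        if "dropbox" in re.sub(r"<[^>]+>", "", text).lower() and reg_domain(host) not in LEGIT:
            findings.append("link text mimics Dropbox but targets " + host)
        # 3. A "login" page served from Dropbox user content: the box-within-a-box pattern.
        if reg_domain(host) == "dropboxusercontent.com" and "login" in href.lower():
            findings.append("login page served from Dropbox user content: " + href)
    # 4. Urgency wording in subject or body.
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgency wording present")
    return findings
```

Running `analyze(SAMPLE_EMAIL)` reports all four indicators; a genuine share notification from a Dropbox domain linking to dropbox.com produces none.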

Being able to distinguish between a legitimate Dropbox email and a spoof Dropbox email is something that can be taught. Security and phishing awareness is one of the best ways to mitigate the risk of credential loss and malware infection. The Infosec Institute has created a phishing awareness and training tool called ‘PhishSim’.

This easy-to-use Cloud-based tool gives you the ability to create your own Dropbox phishing simulation to train your users to recognize spoof Dropbox emails. This helps your organization prevent malware infection and stop the loss of Dropbox and other login credentials.

Susan has worked in the IT security sector since the early 90s; working across diverse sectors such as file encryption, digital rights management, digital signing, and online identity. Her mantra is that security is about human beings as much as it is about technology. She tweets @avocoidentity


About InfoSec

At Infosec, we believe knowledge is the most powerful tool in the fight against cybercrime. We provide the best certification and skills development training for IT and security professionals, as well as employee security awareness training and phishing simulations. Learn more at infosecinstitute.com.
